[BUG] Heap Buffer Overflow in DivEngine::loadDMF #2316

@0xdd96

Description

To Reproduce

Environment

  • OS: Ubuntu 22.04 LTS
  • Compiler: gcc version 11.4.0
  • version: latest commit bc3f0b5

poc: poc

Steps to reproduce the behavior:

CFLAGS="-g -O0" CXXFLAGS="-g -O0" cmake ..
make
run ./furnace -console -vgmout out.vgm $POC

Expected behavior

user@c3ae4d510abb:$ ./furnace -console -vgmout out.vgm $POC

=================================================================
==2418185==ERROR: AddressSanitizer: negative-size-param: (size=-2)
    #0 0x7f49fbe983ff in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55e76c2f3489 in SafeReader::read(void*, unsigned long) src/engine/safeReader.cpp:64
    #2 0x55e76bfb0f3f in DivEngine::loadDMF(unsigned char*, unsigned long) src/engine/fileOps/dmf.cpp:963
    #3 0x55e76bf76e5b in DivEngine::load(unsigned char*, unsigned long, char const*) src/engine/fileOps/fileOpsCommon.cpp:144
    #4 0x55e76d9244d4 in main src/main.cpp:842
    #5 0x7f49fb79fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f49fb79fe3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x55e76b4f7fe4 in _start (furnace+0x786fe4)

0x6160000004cb is located 331 bytes inside of 518-byte region [0x616000000380,0x616000000586)
allocated by thread T0 here:
    #0 0x7f49fbf14357 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x55e76d923a9e in main src/main.cpp:824
    #2 0x7f49fb79fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==2418185==ABORTING

Here is some debug info in gdb:

Thread 1 "furnace_new" hit Breakpoint 1, DivEngine::loadDMF (this=0x5555570023a0 <e>, file=0x5555572d3170 ".DelekDefleMask.\f\t\252\001\335\261\336;\326\\\333\026\356\271\262\335\336\026\356\225l\306\271\266]\352\257\251\341\266\313\270/\246\211\263'[r\316&g88V88\177\070\377\200\070\070\070C\306\070\070\070\070\070:8\335\336\001\001\001\001\001\001\001\001\001K.DelekDefleMasK.\033.DelekDefleM sk.\tF\252.DelekDefleMask.\t\t\252\001\335\261\336\361|\256", len=518) at src/engine/fileOps/dmf.cpp:963
963                 reader.read(data,length*2);
(gdb) p length
$2 = 2147483647
(gdb) p length*2
$3 = -2
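The root cause visible in the trace and the gdb session is a length computation that wraps before it reaches the reader: a 32-bit signed `length` of 0x7fffffff is doubled, giving -2, and that value is then handed to a `size_t` parameter, where it becomes SIZE_MAX - 1. The example below is added here to illustrate the pattern and its fix; it is not furnace's code. The `reader_t` type, the two check predicates and `load_block_hardened` are hypothetical, modelled only on the stack trace (a read helper wrapping memcpy) and on the 331-of-518-byte reader state in the ASan report. The assumption that the original bounds check had the wrapping form `pos + count > len` is exactly that, an assumption; the example shows why such a check lets a "negative" count through and how a check against the remaining byte count, together with validating the element count before multiplying, closes the hole.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded reader, modelled only on the stack trace above
   (a read helper that ends in memcpy); it is not furnace's SafeReader. */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* total bytes in buf */
    size_t pos;   /* current read offset, invariant: pos <= len */
} reader_t;

/* A check written as pos + count <= len is unsafe: when count is a negative
   int converted to size_t (SIZE_MAX - 1 for -2) the addition wraps, the check
   passes and memcpy would run with a huge size. Only the predicate is modelled
   here; it never copies anything. */
static bool flawed_check_allows(const reader_t *r, size_t count) {
    return r->pos + count <= r->len;
}

/* Safe form: compare count with the bytes left, which cannot wrap. */
static bool safe_check_allows(const reader_t *r, size_t count) {
    return count <= r->len - r->pos;
}

static int reader_read(reader_t *r, void *dst, size_t count) {
    if (!safe_check_allows(r, count)) return -1;
    memcpy(dst, r->buf + r->pos, count);
    r->pos += count;
    return 0;
}

static int read_i32le(reader_t *r, int32_t *out) {
    uint8_t b[4];
    if (reader_read(r, b, sizeof b) != 0) return -1;
    *out = (int32_t)((uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                     ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24));
    return 0;
}

/* What the crash site computes: a 32-bit signed length times 2, passed on as
   size_t. The wrap is emulated in unsigned arithmetic (signed overflow is UB
   in C); for 0x7fffffff the product is -2, i.e. SIZE_MAX - 1 once converted. */
static size_t doubled_length_as_size(int32_t length) {
    int32_t doubled = (int32_t)((uint32_t)length * 2u);
    return (size_t)doubled;
}

/* Hardened pattern: reject negative counts and validate the element count
   against the remaining input and the destination before multiplying, so
   neither the product nor the bounds check can wrap.
   Returns bytes copied, or -1 on malformed input. */
static long load_block_hardened(reader_t *r, uint8_t *dst, size_t dst_cap) {
    int32_t length;
    if (read_i32le(r, &length) != 0) return -1;
    if (length < 0) return -1;
    size_t n = (size_t)length;
    size_t remaining = r->len - r->pos;
    if (n > remaining / 2 || n > dst_cap / 2) return -1;
    if (reader_read(r, dst, n * 2) != 0) return -1;
    return (long)(n * 2);
}

/* Reader state at the crash, taken from the ASan report: 331 bytes into a
   518-byte buffer, asked for length*2 with length = 0x7fffffff. */
static bool flawed_check_on_crash_state(void) {
    static const uint8_t buf[518];
    reader_t r = { buf, sizeof buf, 331 };
    return flawed_check_allows(&r, doubled_length_as_size(0x7fffffff));
}

static bool safe_check_on_crash_state(void) {
    static const uint8_t buf[518];
    reader_t r = { buf, sizeof buf, 331 };
    return safe_check_allows(&r, doubled_length_as_size(0x7fffffff));
}

/* Constructed inputs (not the issue's PoC): a length field of 0x7fffffff
   with a little filler, and a benign length of 3 followed by 6 bytes. */
static long hardened_on_evil_input(void) {
    static const uint8_t evil[] = { 0xff, 0xff, 0xff, 0x7f, 0x41, 0x41, 0x41, 0x41 };
    reader_t r = { evil, sizeof evil, 0 };
    uint8_t out[64];
    return load_block_hardened(&r, out, sizeof out);
}

static long hardened_on_benign_input(void) {
    static const uint8_t ok[] = { 0x03, 0x00, 0x00, 0x00, 1, 2, 3, 4, 5, 6 };
    reader_t r = { ok, sizeof ok, 0 };
    uint8_t out[64];
    return load_block_hardened(&r, out, sizeof out);
}

int main(void) {
    printf("length*2 as size_t: %zu (SIZE_MAX-1 = %zu)\n",
           doubled_length_as_size(0x7fffffff), (size_t)SIZE_MAX - 1);
    printf("flawed check passes at crash state: %d\n", flawed_check_on_crash_state());
    printf("safe check passes at crash state:   %d\n", safe_check_on_crash_state());
    printf("hardened loader, evil input:   %ld\n", hardened_on_evil_input());
    printf("hardened loader, benign input: %ld\n", hardened_on_benign_input());
    return 0;
}
```

The two points a reviewer would check in any fix for this class of bug are both exercised: the count is range-checked as an element count before it is multiplied (so the product cannot wrap), and the reader compares the requested size against `len - pos` rather than adding to `pos`, which is the form that wraps when a converted negative value arrives.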

Labels: bug (Something isn't working), critical (Requires urgent fixing), done (issue resolved)
